Reputation: 2297
I'm trying to get my head around PHP Sessions.
I'm using ShortPHP as a router, but the ShortPHP code doesn't touch sessions.
The template has session_start() as the first line:-
<?php
session_start();
include 's.php';
var_dump($_SESSION);
$sid = session_id();
echo $sid;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
This template is executed first for every page (I've added the first few lines (var_dump etc) in order to debug), followed by the specific page code. In this instance, I'm using the following code:-
<?php
if (!defined('S')) die ("You've got no S"); // part of ShortPHP - irrelevant
if (!isset($_SESSION['login']) || $_SESSION['login'] != "1") {
    echo "<p>Session is NOT set</p>";
    //header() redirect to login here...
    //exit();
}
$sri = session_regenerate_id();
var_dump($sri);
?>
If I comment out session_regenerate_id() then the session variable (login) is still available after reloading the page, but with session_regenerate_id() enabled, the session variable is deleted when I reload the page. Note that session_regenerate_id() returns true every time.
I've even gone as far as to read the session stored on the server, and the file for the original session has the session variable data within it, while, after a page reload, the new session file has no variables (file size is zero).
Am I doing something wrong here?
Upvotes: 1
Views: 1131
Reputation: 2297
The cause was session.cookie_secure being set in php.ini when HTTPS wasn't used. Once I removed that setting, the session lasted between page refreshes.
Upvotes: 2
Reputation: 69
Usually it's a good idea to pass true as a parameter to session_regenerate_id(), as that will remove the old session data.
Upvotes: 0
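An added example, not code from the question or from either answer: a session bootstrap that logs the session.cookie_secure / plain-HTTP mismatch described in the first answer and regenerates the ID with true as the second answer suggests. The function names are hypothetical, and it assumes PHP 7.3+ with no TLS-terminating proxy in front of PHP.

```php
<?php
// Added example; function names are hypothetical. Assumes PHP 7.3+ (array
// form of session_set_cookie_params) and no TLS-terminating proxy in front.

function request_is_https(array $server): bool
{
    // Under HTTPS, $_SERVER['HTTPS'] is non-empty and not "off".
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

function start_session_checked(array $server): void
{
    $https  = request_is_https($server);
    $secure = filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN);

    if ($secure && !$https) {
        // A Secure cookie is never sent back over plain HTTP, so each
        // request arrives without a session ID and gets a new, empty session.
        error_log('session.cookie_secure is on but this request is not HTTPS; '
            . 'the session cookie will not be returned by the browser');
    }

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,   // stays on whenever the site is served over HTTPS
        'httponly' => true,     // keep the ID out of reach of page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function mark_logged_in(): void
{
    // Rotate the ID when privileges change, not on every page load; true
    // deletes the old session data so the previous ID stops being valid.
    session_regenerate_id(true);
    $_SESSION['login'] = '1';
}

start_session_checked($_SERVER);
var_dump(session_id(), $_SESSION);
```

On a site that is meant to run over HTTPS, the logged warning is the signal to fix the transport rather than to drop the Secure flag.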